Godspeed curtain twitchers: DPDP and its peers just got ruthless

If you have ever felt arm-twisted for your data while buying a cup of tea at an airport, a pack of popcorn at a multiplex or a t-shirt at some big brand store, things might change on your next trip. For you and the brands. DPDP is stirring this pot. Privacy is no longer boiler-plate foam, but more stringent, driven by default and underlined by design. The next 18 months matter. Let’s take a, ahem-ahem, peek!

Pratima H

No curtains. No blinds. Just open for the world to look in. If you have ever heard this interesting trivia about Dutch culture (as shared by some architecture and culture experts), you will not be surprised to be in a Dutch land and find that these houses often have the windows actually open. They edify the cultural essence of transparency and honesty, and that there is ‘nothing to hide’. Some even use it to showcase their interior decorations and the view is open to streets and passers-by.


As intriguing as it sounds, and exactly why it sounds so- this is not how all cultures operate. Not all people shut their windows down. Not all pull the curtains apart. Some don’t even have windows in some rooms. Some have them open even in the bathrooms. The decision is, however, THEIRS! And it may change as per the time of the day, the season, the mood and who is inside. Privacy, above everything else, is a very personal realm. It is diverse in its spectrum. Its approach and degree can change as per the person inside the room. But it can never be forced to adapt to the person on the other side of the window.

Something that DPDP might finally bring about with its new emphasis and approach. After the Ministry of Electronics and IT officially notified the Digital Personal Data Protection (DPDP) Rules, 2025 recently, and set the stage for India’s privacy-first economy, a lot of its guardrails will be set in place over the next 18 months, and in phases. But the winds of change are already blowing over many windows. This move marks the full operationalisation of the Digital Personal Data Protection Act, 2023 (DPDP Act) setting a clear and citizen-centred framework for the responsible use of digital personal data- as stated by the government - placing equal weight on individual rights and lawful data processing. This could be a big hammer on the slippery nail of data privacy and the window of individual rights. Will it mean new bricks (on the windows or for those hands who want to break them)?

Here’s a guess at what will change, for whom and how much.

For The Customer: Not Just More Rights. But Right Buttons too.

So we won’t have to share our numbers or show our boarding pass/QR code when forced by an airport counter or during a movie-break? Perhaps not now. “This has to change. A customer can now complain and opt out if a certain service or feature (like shopping points) apparently depends on that data,” reflects Tisha Bhambry, Director Analyst - Data Privacy at Gartner. “It’s not just a problem at airports or movie-counters but also at big US brand stores like Puma or Adidas which cannot ask for data from Indians but they do. There was no effective law to stop this, so far. But in the next 18 months there will be a shift.” She is assuredly hopeful on that. And there is a big reason for that, as she explains further. “This is no more about ticking the boxes now but about how to practise data privacy in a tangible manner. An important factor now for organisations will be - to ‘actually’ do it.” Here’s how.


For the enterprises: More than a new rule-book, a new perspective

Privacy is no more a check-box, echoes Kelvin Cheema, Global Chief Information Officer, CIO and Managing Director, Global Transformation & Change, Acuity Analytics. “The data privacy landscape in 2026 has shifted from compliance to consequence. As enforcement of India’s DPDPA 2023 matures, privacy is no longer a legal checkbox but a foundation of digital trust.”

Data privacy is evolving into the currency of digital trust. In the 2020s, data was power, by 2030, trust will be. The organisations that thrive will be those that can prove integrity in every byte, where transparency, security, and accountability are encoded into digital systems from inception.

- Kelvin Cheema, Global CIO, Acuity Analytics

In November 2023, India’s Digital Personal Data Protection Act (DPDPA 2023) became not only a legal framework but one that would actually be enforced, explains Deepak Yadav, Cyber security expert and Founder - Cyberrakhwala. “Now, rules published by MeitY call for organisations to show tangible responsibility - strong consent management, minimisation of data collected, more effective information security measures, as well as trustworthy governance. With fines becoming sizable and supervisory requirements rising, compliance is no longer just a matter of policy.”

The next step is moving from ‘compliance theatre’ to verifiable trust. As we move through 2026, enforcement of privacy laws is becoming more strict--and privacy itself is shifting from a nebulous concept to reality.

- Deepak Yadav, Cybersecurity Expert

Yes. Organisations will have to work on privacy very seriously, in everyday business operations and in every area, Bhambry cautions. They will have to make sure it pervades product development, processes (from the onset), internal audit, regular training and the very culture of that company and its employees. Enterprises will have to focus on individual rights, consent protocols and data governance.

There is no doubt that data privacy is going to get stronger, more transparent, and more comprehensive, affirms Advocate Dr. Bhavna Sharma, Delhi High Court, Cybercrime Expert and Legal Consultant, Delhi Police, and a techno-legal policy professional. But it is also going to get complex in 2026 as it shifts from abstract legal principles to a tangible operational mandate with the notification of the DPDPA Rules, 2025, adds Dr. Sharma (who has also been part of the core team responsible for drafting the Digital Personal Data Protection Act, 2023, the Digital India Bill, and the Information Technology Rules).

For India, while the core operational rules come into effect 18 months after notification, i.e., around mid-May 2027, 2026 will be a preparation year.

- Dr. Bhavna Sharma, Cybercrime Expert and Legal Consultant

In India, the DPDPA’s maximum penalties of up to ₹250 crore for serious offenses will deter non-compliance, mirroring the multi-million-euro fines under the EU’s GDPR and signaling India’s exit from a ‘soft enforcement’ era, Dr. Sharma illustrates. “This enforcement wave will target high-risk sectors like fintech, healthtech, e-commerce, and telecom, which process vast sensitive data volumes and face heightened cyber vulnerabilities. Regulators, including India’s Data Protection Board (DPBI), will probe not just breaches but proactive failures in consent mechanisms, data minimisation, and cross-border audits, demanding ‘compliance by design’ as a survival imperative.”

The big difference that Bhambry stresses is that now data privacy will become a board-level matter. “It will not be an IT or compliance issue but a board level concern and will shift to a top-to-bottom fabric now.”

Accountability and effectiveness will define real success- as many wonder and worry.

And the question continues to be: is this making an actual difference, asks Yadav. “Where rules have become clear and enforcement predictable, progress is visible. But the backlash relies on consistent auditing, transparent guidance, and political will to challenge non-compliance. Frameworks are out there, but any change in the real world will come down to how regulators, companies and technology providers work with them.”

It is not just the regulatory moves that will strengthen data privacy; more will add both teeth and eyes ahead. Dr. Sharma gives some examples: judicial contributions, by entertaining writs and PILs on alleged violations of the right to privacy and seeking responses from the government, are in a way alerting the government to emerging issues and challenges faced by citizens in exercising their right to privacy, thereby urging government action on privacy gaps and reinforcing the fundamental right under Article 21. “Prime examples of such petitions are Ashwini Upadhyay v. UOI, Karmanya Sareen v. UOI, Rajat Arora v. UOI, and Bhavna Sharma v. UOI. Globally as well, legislatures and judiciaries in major economies are tightening oversight on data fiduciaries’ preventive obligations, fostering a deterrence-based ecosystem.”

Some progress is visible, Yadav adds an optimistic angle. “Organisations are more aware, consent practices are improving, and security baselines have strengthened. But true accountability still needs stronger enforcement, standardised breach-disclosure norms, and independent audits with penalties that create real deterrence.” Exactly, where regulators and regulations arrive.

For Regulators, And Implementation Folks

It has taken more than 12 years to get the DPDP Act in India with detailed notifications, a revolutionary initiative in the right direction, reckons Prof. Nityesh Bhatt, Director, Institute of Management and Professor of Information Management Area, Nirma University. “But its enforcement and monitoring are going to be a key challenge with the sheer size of Indian digital economy and humongous user base. Regulation is also going to face difficulty. Impact assessment cannot be seen immediately. Minimum one to two years will be needed for its outcome,” he dissects, as he emphasises capacity-building as the next direction to take on this path.

Since 2017, privacy has shaped into citizens’ fundamental rights but how many Indians are aware about it? Another question is how much privacy can be assured in an era with cell towers, CCTV and other constant surveillance technologies across the length and breadth of the country.

- Prof. Nityesh Bhatt, Nirma University

What’s interesting in this new realm is how EU and GDPR regulations as well as MeitY’s localisation emphasis can drive a new and stringent direction on implementing privacy in a proactive, cohesive and tangible manner. Sovereignty is no more a brochure item in many technology companies, it is turning into a big ‘ask’ both by cloud customers and regulators overseeing them.

Regulation is no longer reactive, it’s becoming anticipatory, reasons Cheema. “The next wave of global privacy laws reflects a shift from punishing breaches to preventing misuse by design. The EU AI Act and GDPR 2.0 are setting a high watermark for digital ethics, where AI explainability, accountability, and human oversight are mandatory.”

Yadav adds how, as India moves into full-scale enforcement of the DPDPA 2023, the privacy landscape will become far more accountability-driven. “Organisations will need to demonstrate not just compliance on paper but ‘measurable’ data protection practices, especially around purpose limitation, consent validity, and data retention. India is moving toward a ‘privacy-by-default’ mindset, and regulators are increasingly focusing on demonstrable outcomes, not checklists.”

“India’s DPDPA and MeitY’s localisation mandates echo a growing consensus that data sovereignty equals digital sovereignty. Governments are recognising that control over citizen data is foundational to national security and economic resilience.” Cheema explains.

In an era marked by competition among nations with their own data systems, state leaders are taking control, Yadav observes. “They are not willing to allow strategic assets to slip through their fingers. And as a result, the government calls for ‘localisation’ to trap extra-territorial storage simply because it has yet to be regulated by authorities in those countries.”

However, localisation is not isolation, Cheema argues. “The world is moving toward federated data governance, enabling innovation through shared intelligence while keeping sensitive data sovereign. This requires a global privacy protocol that balances autonomy with interoperability.”


For Technologists: Land-mine or Gold-mine?

Localisation can have many contours and connotations- and some Cloud providers have already felt that impact. So would privacy be the death knell on companies that have their entire business models running on first-party to third-party data monetisation and sharing? Or would it be a new economy altogether?

Also- Would digital identities, data sovereignty, anonymisation, and decentralised models be enough to ensure privacy in a technology-driven world?

Not yet, feels Cheema. “But they are critical building blocks of what I call ‘distributed trust architecture’.  Digital identities and decentralised data models represent a paradigm shift from control to empowerment. However, technology alone cannot guarantee privacy. Anonymisation, encryption, and zero-knowledge proofs are essential, but without ethical intent, they risk being tools without conscience. The future of privacy will depend on intentional design, not incidental protection.”

All these options (digital identities, distributed models, anonymisation tools) can be a tool to protect privacy, but will never replace governance, Yadav argues. “There needs to be movement towards real opt-in. That translates to getting rid of dark patterns, designing clear consent flows, and putting users in practical control instead of giving them legalistic notices.”

Emerging models such as self-sovereign identity (SSI) and federated data ecosystems hold immense promise, Cheema cites. But ultimately, privacy will be achieved not through technological fences but through architectures of choice, he stresses, where individuals decide how data defines them and where organisations design systems to honour that choice.

But these tools are not water-proof when it comes to cracks that compromise privacy. A decentralised system with weak access controls still creates vulnerability, warns Kulkarni. “An anonymised dataset loses value if re-identification risks are not monitored over time, especially in an AI environment where algorithms can cross-reference multiple sources. Digital identity ecosystems also demand continuous verification, fraud monitoring and clear rules for usage.”

Even existing software industry practices will have to do a lot of churn. Shrish Ashtaputre, Senior Technical Director Engineering, Calsoft tells how QA, for instance, will change. “With India’s DPDP and EU’s tightening frameworks, QA now includes data lineage validation, consent enforcement, and anonymisation testing.”


For India: A Game-Changer, Especially after AI

Globally, we’re witnessing the rise of interoperable privacy regimes, frameworks that allow lawful data movement while upholding accountability and transparency, Cheema notes. “The EU AI Act, India’s DPDPA, and emerging U.S. state-level privacy laws are aligning around a shared principle, organisations must demonstrate responsible data stewardship, not just compliance documentation.”

AI has certainly accelerated this urgency, Cheema observes. “When algorithms train on global data, the responsibility to safeguard individuals transcends borders. Privacy by design is evolving into AI governance by architecture, embedding consent, explainability, and data minimisation directly into models and systems.”

Governments are no longer debating whether AI needs guardrails. They are defining what responsible AI looks like and how personal data should travel through digital systems, assesses Praveen Patil Kulkarni, Director - Security, Risk & Governance at OpenText India. “Europe is tightening its position through the EU AI Act and emerging conversations around a GDPR revision. North America is building sector-specific guidance, and countries across Asia are adopting stricter consent, retention and transparency requirements. India’s DPDP Act and the recently notified rules place the country firmly within this global shift.”

Technology will provide the scaffolding, and governance will determine the integrity of that scaffolding.

- Praveen Patil Kulkarni, OpenText India

At the same time, complications and complexity are lines that can get blurred ahead. As Ashtaputre points out, regulations are forcing better discipline, but they also complicate global rollouts. “Every geography now has its own flavor of privacy law, which means QA must validate behavior across multiple legal contexts. In the long run, though, this will lead to privacy-by-default architecture, which is a win for both users and engineers.”

As Bhambry captures it, “GDPR applies to about 450 million people but Indian regulations affect over 1.4 billion people. Their impact is more than that of GDPR.” She encapsulates it not just as a transformation but as an opportunity for India, when you look at it from that angle and that of a digital economy. “It’s a great time to shine, to improve and to build digital trust. Now we have 18 months to get going on that. And India will move from a fragmented and sectoral landscape to a unified approach and a bigger picture in terms of how the industry adapts to it. It’s about digital trust and not just compliance now. India will not be just at par with global privacy norms, but will influence them ahead.”

For everyone

Worldwide, the change is palpable. Winds of change in regulations are following the butterflies that new technologies and models are creating.

A lot will, and should, change with DPDP’s new teeth. By 2026, at least one high-profile Indian firm will face record DPDPA fines, underscoring enforcement’s teeth and compelling organisations to embed privacy in their core operations, augurs Dr. Sharma.

It cannot be cast in stone though, contends Dr. Bhatt. “India generates about 20 per cent of global data but our share of global data centre capacity is a meagre three per cent, leading to heavy dependence on digital infrastructure established on foreign shores. Rapidly changing technologies like Gen AI, Cloud, analytics etc. will demand changes in the act too.”

Data privacy is becoming an instrument of trust and trade, concludes Cheema. “The winners will be those who treat privacy not as restriction but as a strategic differentiator, proving that ethics and innovation can coexist in the same algorithm. The future of privacy isn’t about hiding data, it’s about using it responsibly. The next decade will belong to leaders who understand that protecting privacy is not the end of innovation, it’s the foundation that makes innovation sustainable.”

Speaking of hiding, let’s move to those windows again. Another interesting piece of trivia about them is that of the Window Tax. Yes, there was once a tax like this, a property tax based on the number of windows in a house, and it was in force in England, Scotland, France and Ireland during the 18th and 19th centuries. Despite a lot of opposition and arguments that it was a potential threat to personal liberty, Adam Smith (in ‘The Wealth of Nations’) opined that the tax was relatively inoffensive. Why? Simply because its assessment did not need the assessor to enter the residence. Windows could be counted from the outside. Unlike the hearth tax, which was assessed as per the number of hearths inside a house. And a lot of resentment against it emerged from the very fact that it required inspection of the interior of dwellings by the sub-collectors and petty constables. Any of these authorities could enter any person’s house and search it at pleasure. That rubbed hard, more than the intent of the law. Of course, it came to a dead-end soon. And towards the end of the Glorious Revolution in 1688, William III and Mary II signed the English Bill of Rights 1689. The hearth tax was repealed.

History repeats itself. Hopefully, the new genre of regulations, in India and globally, will ensure that apps, companies, services, websites and the information-economy do not make people show their hearths and windows by force or by manipulation. Hearth, window or data, the operative and sacred word is still the same: Privacy.

Oh, by the way, any guess where King William III and his wife Mary II hailed from? The Dutch Republic.

pratimah@cybermedia.co.in